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Boolean functions is an important tool in computer sciences. It is espe- 
cially useful in private key cryptography for designing stream ciphers. For 
security reasons, and also because Boolean functions need also to have other 
properties than nonlinearity such as balancedness or high algebraic degree, 
it is important to have the possibility of choosing among many Boolean func- 
tions, not only bent functions, that is functions with the highest possible 
non linearity, but also functions which are close to be bent in the sense that 
their nonlinearity is close to the nonlinearity of bent functions. For m odd, 
it would be particularly interesting to find functions with nonlinearity larger 
than the one of quadratic Boolean functions (called almost optimal in [I]). 
This has been done for instance in the work of Patterson and Wiedemann 
[S] and also of Langevin-Zanotti 

Let q = 2 m and F2™ assimilated as a vector space to F™. In this talk, 
we want to study functions of the form Tr G(x), where G is a polynomial on 
F2™ and Tr the trace of F2™ over F2. 

For m even, many people got interested in finding bent functions of this 
form. To only mention the case of monomials, one can get the known cases 
(Gold , Dillon/Dobbertin, Niho exponents) in the paper of Leander [5]. 

For m odd, one might have expected that among the functions / : x — ► 
Tr G{x) where G is a polynomial of degree 7, there are some functions which 
are close to being bent in the previous sense. This happens not to be the 
case, but we will show that for m odd such functions have rather good 
nonlinearity or autocorrelation properties. We use for that recent results of 
Maisner and Nart [7] about zeta functions of supersingular curves of genus 
2. 
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On the other hand, vectorial Boolean functions are used in cryptography 
to construct block ciphers. An important criterion on these functions is a 
high resistance to the differential cryptanalysis. Nyberg [8] has introduced 
the notion of almost perfect nonlinearity (APN) to study differential attacks. 
We relate this notion to the notion above, and we will give some criterion 
for a function not to be almost perfect nonlinear. 

1 Preliminaries 

1.1 Boolean functions 

Let m be a positive integer and q = 2 m . 

Definition 1.1 A Boolean function with m variables is a map from the 
space V m = F™ into F 2 . 

A Boolean function is linear if it is a linear form on the vector space V m . 
It is affine if it is equal to a linear function up to addition of a constant. 

1.2 Nonlinearity 

Definition 1.2 We call nonlinearity of a Boolean function f : V m — > F2 
the distance from f to the set of affine functions with m variables: 

nl(f) = mm d(f,h) 

h ajjine 

where d is the Hamming distance. 

One can show that the nonlinearity is equal to 

nl(f)=2 m - 1 -±\\f\\ O0 

where 

ll/lloo = sup ^ x (/(#) + v ■ x) , 

V&V ™ X&Vm 

where v ■ x denote the usual scalar product in V m and x(f) = ( — 1) ■ It is 
the maximum of the Fourier transform of x(f) (the Walsh transform of /): 

f( v ) = H X (f{x) + v-x). 
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Parseval identity can be written 

ll/lll = 1 E f(vf = q 
9 vev m 

and we get, for / a Boolean function on V m : 

VQ< \\f\\oo<q. 
1.3 The sum-of-square indicator 

Let / be a Boolean function on V m . Zhang and Zheng introduced the sum- 
of-square indicator [14j . as a measure of the global avalanche criterion: 

°f = - n Y, /(*) 4 = ll/lll 

q xdV m 

We remark that 

||/|| 2 < ll/IU < ll/lloo. (1) 

Hence the values of ||/||4 may be considered as a first approximation of ||/||oo 
and in some cases they may be easier to compute. The relationship of this 
function with non-linearity was studied by A. Canteaut et al.pQ. 

2 The functions / : x — ► Tr {G{x)) where G is a 
polynomial 

2.1 Divisibility of ll/IU 

Let G{x) be the polynomial J2t=o a i x% w ith coefficients in F q and / the 
Boolean function Tr oG. 

Definition 2.1 The binary degree of G is the maximum value of o~(i) for 
< i < s, where a(i) is the sum of the binary digits of i. 

One has the following proposition, due to C. Moreno and O. Moreno [6]. 

Proposition 2.1 Let G be a polynomial with coefficients in F q and binary 
degree d. Then ||/||oo is divisible by 2^~d\ 
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2.2 Case where G is a polynomial of binary degree 2 

The H/lloo are multiple of 2^t1. Therefore, if 77i is even ||y||oo is a multiple 
of q 1 / 2 , and if m is odd, of \/2q. In particular, if m is odd, the spectral 
amplitude is higher or equal to y/2q which is equal to that of the quadratic 
Boolean functions, of the maximum rank. 



3 The functions / : x — ► Tr (G(x)) where G is a 
binary polynomial of degree 3 

One simply will study the case where G is a binary polynomial of degree 2 
to which one adds a monomial of degree 7: 

G = a 7 x 7 + J2bix 2 ' +1 

where aj ^ a polynomial of degree 7 with coefficients in k. We would 
like to evaluate ||/||4 on for f(x) = Tr (G(x)) where Tr indicates the 
function trace of F q on F2: 

m— 1 

Tr(cc) = x 2 . 
i=0 

One obtains the simple expression of ||/||4 (cf [10} fTT) ) : 



4 = £ ^ (/fa) + /(^) + f(x 3 ) + f(x4)) =q 2 +J2X a 

xi+X2+x 3 +X4=0 aek" 

with 

I tt =(^X°Tr(G(.)+G(x + «))) 2 . 

To compute X a , one can remark that the curve of equation y 2 + y = G(x + 
a) + G{x) is isomorphic to 

y 2 + y = G(a) + 

+ (a 7 a 6 + a 7 /4 a 3 / 4 + a 7 /2 a 5 / 2 + £(6^ + £ 6,a 2 >+ 

+ (a 7 a 4 + a 7 /2 a 1/2 )x 3 + a 7 a 2 a; 5 

which is an equation of a curve Ci of genus 2 for One has 

X a = {#C l -q-l) 2 . 

To compute X a , we will need results of Van der Geer - van der Vlugt 
and of Maisner - Nart. 
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3.1 Van der Geer and van der Vlugt theory 

Let C\ the curve with affine equation: 

Ci : y 2 + y = ax 5 + bx 3 + cx + d 

with Let R be the linearized polynomial ax 4 + bx 2 + c 2 x. The map 

Q : k -> F 2 

x i ► Tr(xP(x)) 

is the quadratic form associated to the symplectic form 

k x k — ► F 2 

(x,y) i ^ < x,y > R = Tr(xP(y) + yP(x)). 

The number of zeros of Q determines the number of points of C\: 

#C 1 (fc) = l + 2#Q- 1 (0). 

Let W be the radical of the symplectic form <, >jj, and w be its dimension 
over F 2 . The codimension of the kernel V of Q in W is equal to or 1. 

Theorem 3.1 (van der Geer - van der Vlugt ]13^) 
IfV^W, then #Ci(fc) = 1 + q. 
IfV = W, then #Ci{k) = 1 + q ± ^2^- 

3.2 Values of X a 

In [3], we study the factorization of P which determines V and W (see 
Maisner-Nart [7J). Thanks to the work of van der Geer - van der Vlugt, we 
can compute the number of points of the curves y 2 + y = G(x + a) + G(x). 

Proposition 3.1 Suppose that m is odd. Then 

X a = or 2q or 8q. 

Let £ = aj 1/3 a- J / 3 . Then 

X a = 8q if and only if 

Tr^ = , £ = v + v A with Tr v = , 

Tr(^±^^ =1 Tr(i^±^(, + , 2 ))=1 ; 

X a = 2q if and only if Tr £ = 1 ; 
X a = in the remaining cases. 
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4 Evaluation of ||/||| 

Proposition 4.1 The 

Ti (G(x)) is such that 



Proposition 4.1 The value of [|/[|| on ¥2*™ when m is odd and f(x) 



f-3q 2 \< 185.2 s - V /2 - 



Proof 

One can evaluate the number of a which gives each case of the preceding 
proposition. The proves of these evaluations are linked with the computa- 
tions of exponential sums over the curve v + v 4 = jx 7 . We get 



#{a I X a 



#{a I X a = 2q} 



1 



< 23.2 s ~y/ 2 

< 3q 1/2 + 1 



One deduce easily the evaluation of H/H4. The details of the proof will 
appear in [3]. 

Remark 4.1 This result is to be compared with proposition 5.6 in fWjj where 
the distribution of\\ f\\f for all Boolean function is shown to be concentrated 
around 3q 2 . 
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5 Bound for ||/| 

From the theorem, we can deduce some lower bounds for n ; 1 x .. 



Proposition 5.1 For the functions f : x — ► Tr (G(x)) on F2™. where G is 
the polynomial G = a^x 7 +J2 S biX 2l+l and m is odd one has, form < 11 + 2s: 



>2q < 

For m > 15 + 2s, one has moreover: 

^2~q< 
Proof 

The evaluation of the number of a such that Tr£ = 1 in proposition 13.11 
gives: 



2q 2 -6q 3 / 2 < """ 
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As it is easy to show that 

ll/llt < <?ll/H 2 oo 

we get 2q — Qq 1 / 2 < WfW 2 ^ whence the result, as ||/||oo is divisible by 2 T^/ 3 1 . 
The second inequality is a consequence of theorem 14,11 

Remark 5.1 So f is not almost optimal (in the sense of fj]/), for m > 
15 + 2s. 

6 APN Functions 

Let us consider a function G : F q — ► F q . 

Definition 6.1 The function G is said to be APN (almost perfect nonlin- 
ear) if for every a £ F* and b £ F q , there exists at most 2 elements ofF q 
such that G(z + a) + G(z) = b. 

Proposition 6.1 The function 

G : F q — > F q 

s 

7 i 2 i -4-l 

X I ^ CI7X + y j OjX 



is not APN for m > 13 + 2s. 
Proof 

For 7 G Fg, consider the function fj(x) = Tr(G(7x)). The propo- 
sition follows from proposition 14.11 and the following result from Chabaud- 
Vaudenay [2]. 

Proposition 6.2 One has ""(/y) > 2g 2 (g — 1). 

7€fc* 

T/ie function G is APN if and only if the equality is true. 

For s < 2, one can even say more. The following theorem [12] proves 
that the function G is not APN for m > 11. 

Theorem 6.1 Let G be a polynomial from F2™ to F2™, d its degree. Let 
us suppose that the curve of equation 

Xq + xf + x$ + (xp + xi + x 2 ) d _ 
(x + xi)(x 2 + xi)(rc + z 2 ) 

is smooth. Then if m > 6 and d < g 1 / 6 + 3.9, G is not APN. 
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